
forgot password script injected

Can someone help me out with this bit of code? Today when I tried to log onto the administrator's side of my site I was greeted with not being able to log in because my password had been changed. Now I have gotten 33 emails in regard to this on March 3, meaning 33 requests for email change from my server for my account. Like I said, I just tried to log in and the hashed password was different, so obviously someone changed something somehow; someone redirected the password recovery to their email account, or they could have even bypassed that, I'm not sure. All I know is I need to get this fixed.

I see you don't change the password directly; the password won't get changed after a person gets to => ?p=forgot&code=' . $random

He is changing the password and sending the mail before it's confirmed the account holder actually wanted to change their password. You're describing what he should be doing, not what he is doing.

yarray,

That's what you'll need to do. The password should not be touched until the owner of the email address on file clicks a link in their email. Nothing should be touched until it's confirmed that someone w/ access to the email address wants it to be.

I see you're creating a random code when a user requests his password. At the "forgetnew" page, you get the username just by selecting the username with that random code.

I don't think that's really safe. However, it's (almost) impossible to guess that number, and creating a random code which is exactly the same as another random code you created before is just as impossible. But there still is a chance!
I think you should build this whole password recovery system over, because it is really necessary that this works 100% safe.

What I think your problem is right now is, as lorenw said before, an SQL injection.
What if some user typed in something like this:

?code=1 OR username=admin

The above example doesn't work, but I'm sure there is an injection for this one.

Your solution:
Use mysql_real_escape_string as lorenw said. I see the random code you generate is a unique_id(), so I guess these are numbers only? Then you should check the URL input $_GET['code'] with ctype_digit(), so only numbers would be accepted.
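The two points the thread makes are (a) nothing about the account should change until the holder of the mailed link comes back with the code, and (b) the code arriving in the URL must be validated and bound as data, never spliced into SQL. The example below puts both into one runnable flow. It is an added illustration written for this page, not the original poster's script: it uses Python with an in-memory sqlite3 database standing in for the PHP/MySQL code under discussion, the table names (users, password_resets), the "admin" account and its password are constructed sample data, and the token is a random URL-safe string rather than the numeric unique_id() the thread assumes, so the format check is a regular expression instead of ctype_digit().

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
import time

RESET_TTL_SECONDS = 3600
# secrets.token_urlsafe(32) yields exactly 43 URL-safe base64 characters; anything else
# is rejected before it reaches the database (the role ctype_digit() plays in the thread).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash, stored as 'salt$digest' (demo only; in PHP use password_hash())."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def open_db() -> sqlite3.Connection:
    """In-memory database with one constructed account (sample data, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_hash TEXT);"
        "CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY, username TEXT, expires_at INTEGER);"
    )
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", "admin@example.com", hash_password("original-secret")))
    conn.commit()
    return conn


def request_reset(conn, username):
    """Step 1: record a single-use token for the account. The password is NOT touched here.
    Returns (email, token) for the mailer, or None if no such user; the page should show the
    same 'check your inbox' message either way so usernames are not confirmed to a stranger."""
    row = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token itself
    # Only the newest link is valid: repeated requests (the 33 mails above) invalidate older ones.
    conn.execute("DELETE FROM password_resets WHERE username = ?", (username,))
    conn.execute("INSERT INTO password_resets VALUES (?, ?, ?)",
                 (token_hash, username, int(time.time()) + RESET_TTL_SECONDS))
    conn.commit()
    return row[0], token


def complete_reset(conn, code, new_password):
    """Step 2: the password changes only when the mailed code comes back, once, before expiry."""
    if not TOKEN_RE.fullmatch(code):  # rejects input such as '1 OR username=admin' outright
        return False
    token_hash = hashlib.sha256(code.encode()).hexdigest()
    # Parameterised query: the code is bound as a value, never concatenated into the SQL text.
    row = conn.execute("SELECT username, expires_at FROM password_resets WHERE token_hash = ?",
                       (token_hash,)).fetchone()
    if row is None or row[1] < int(time.time()):
        return False
    username = row[0]
    conn.execute("UPDATE users SET password_hash = ? WHERE username = ?",
                 (hash_password(new_password), username))
    conn.execute("DELETE FROM password_resets WHERE token_hash = ?", (token_hash,))  # single use
    conn.commit()
    return True


def verify_login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and check_password(password, row[0])


if __name__ == "__main__":
    db = open_db()
    email, token = request_reset(db, "admin")
    print("mail to", email, "-> ?p=forgot&code=" + token)
    print("old password still valid after the request:", verify_login(db, "admin", "original-secret"))
    print("reset with junk code:", complete_reset(db, "1 OR username=admin", "x"))
    print("reset with mailed code:", complete_reset(db, token, "new-secret"))
    print("mailed code reusable:", complete_reset(db, token, "again"))
```

Note the order of operations in request_reset: the only side effect is a row in password_resets, so an attacker who can merely trigger the form (as happened 33 times in the original post) achieves nothing but mail to the real owner's address, and each new request replaces the previous token. In PHP the equivalent of the bound `?` placeholders is a prepared statement (mysqli or PDO), which removes the need to rely on mysql_real_escape_string for the code value.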